plasmagoat/homelab
1
0
Fork 0
Code Issues Pull requests 1 Projects Releases Packages Wiki Activity Actions

auth machine

Browse source
This commit is contained in:
plasmagoat 2025-07-16 02:10:31 +02:00
parent 98dce86882
commit 851a9e18db
34 changed files with 2383 additions and 99 deletions
Download patch file Download diff file Expand all files Collapse all files

6
nixos/hosts/forgejo-runner/runner.nix
View file

@ -13,7 +13,7 @@
# tokenFile should be in format TOKEN=<secret>, since it's EnvironmentFile for systemd
tokenFile = config.sops.secrets."forgejo-runner-registration-token".path;
labels = [
"ubuntu-latest:docker://ghcr.io/catthehacker/ubuntu:act-22.04"
"ubuntu-latest:docker://ghcr.io/catthehacker/ubuntu:act-latest"
"node-22:docker://node:22-bookworm"
"nixos-latest:docker://nixos/nix"
## optionally provide native execution on the host:
@ -23,6 +23,10 @@
log = {
level = "debug";
};
container = {
docker_host = "automount";
};
};
};
};

16
nixos/hosts/forgejo/forgejo.nix
View file

@ -56,6 +56,22 @@ in {
actions = {
ZOMBIE_TASK_TIMEOUT = "30m";
};
ldap = {
AUTHORIZATION_NAME = "My LDAP";
HOST = "ldap.example.com";
PORT = 389;
ENABLE_TLS = false;
USER_SEARCH_BASE = "ou=users,dc=example,dc=com";
USER_FILTER = "(&(objectClass=user)(sAMAccountName=%[1]s))";
USERNAME_ATTRIBUTE = "sAMAccountName";
EMAIL_ATTRIBUTE = "mail";
FIRST_NAME_ATTRIBUTE = "givenName";
SURNAME_ATTRIBUTE = "sn";
ADMIN_FILTER = "(&(objectClass=user)(memberOf=cn=admins,ou=groups,dc=example,dc=com))";
SKIP_LOCAL_2FA = false;
ALLOW_DEACTIVATE_ALL = false;
};
oauth2 = {
};
oauth2_client = {

44
nixos/hosts/media/exportarr.nix
View file

@ -1,44 +0,0 @@
{config, ...}: {
services.prometheus.exporters.exportarr-sonarr = {
enable = true;
url = "http://media.lab:8989";
port = 9707;
openFirewall = true;
apiKeyFile = config.sops.secrets.sonarr-api-key.path;
};
services.prometheus.exporters.exportarr-readarr = {
enable = true;
url = "http://media.lab:8787";
port = 9708;
openFirewall = true;
apiKeyFile = config.sops.secrets.readarr-api-key.path;
};
services.prometheus.exporters.exportarr-radarr = {
enable = true;
url = "http://media.lab:7878";
port = 9709;
openFirewall = true;
apiKeyFile = config.sops.secrets.radarr-api-key.path;
};
services.prometheus.exporters.exportarr-prowlarr = {
enable = true;
url = "http://media.lab:9696";
port = 9710;
openFirewall = true;
apiKeyFile = config.sops.secrets.prowlarr-api-key.path;
};
services.prometheus.exporters.exportarr-lidarr = {
enable = true;
url = "http://media.lab:8686";
port = 9711;
openFirewall = true;
apiKeyFile = config.sops.secrets.lidarr-api-key.path;
};
services.prometheus.exporters.exportarr-bazarr = {
enable = true;
url = "http://media.lab:6767";
port = 9712;
openFirewall = true;
apiKeyFile = config.sops.secrets.bazarr-api-key.path;
};
}

3
nixos/hosts/media/host.nix
View file

@ -5,8 +5,7 @@
./networking.nix
./storage.nix
./nixarr.nix
./exportarr.nix
./jellyfin-exporter.nix
./sops.nix
./modules/monitoring.nix
];
}

8
nixos/hosts/media/jellyfin-exporter.nix
View file

@ -1,8 +0,0 @@
{config, ...}: {
services.prometheus.exporters.json = {
enable = true;
configFile = config.sops.secrets.jellyfin-exporter-config.path;
openFirewall = true;
user = "jellyfin";
};
}

98
nixos/hosts/media/lib/api-keys.nix Normal file
View file

@ -0,0 +1,98 @@
{
config,
lib,
pkgs,
...
}:
with lib; let
cfg = config.nixarr;
# Helper to create API key extraction for a service
mkApiKeyExtractor = serviceName: serviceConfig: {
description = "Extract ${serviceName} API key";
after = ["${serviceName}.service"];
requires = ["${serviceName}.service"];
serviceConfig = {
Type = "oneshot";
RemainAfterExit = true;
# Use DynamicUser if the parent service does
DynamicUser = serviceConfig.serviceConfig.DynamicUser or false;
# Only set User if not using DynamicUser
${
if !(serviceConfig.serviceConfig.DynamicUser or false)
then "User"
else null
} =
serviceConfig.user or null;
Group = "${serviceName}-api";
UMask = "0027"; # Results in 0640 permissions
ExecStartPre = [
"${pkgs.coreutils}/bin/mkdir -p ${cfg.stateDir}/api-keys"
"${pkgs.coreutils}/bin/chown root:${serviceName}-api ${cfg.stateDir}/api-keys"
"${pkgs.coreutils}/bin/chmod 750 ${cfg.stateDir}/api-keys"
# Wait for config file to exist
"${pkgs.bash}/bin/bash -c 'while [ ! -f ${serviceConfig.stateDir}/config.xml ]; do sleep 1; done'"
];
# Bazarr api key is located a different place...
ExecStart = pkgs.writeShellScript "extract-${serviceName}-api-key" ''
${pkgs.dasel}/bin/dasel -f "${serviceConfig.stateDir}/config.xml" \
-s ".Config.ApiKey" | tr -d '\n\r' > "${cfg.stateDir}/api-keys/${serviceName}.key"
chown $USER:${serviceName}-api "${cfg.stateDir}/api-keys/${serviceName}.key"
'';
};
};
in {
config = mkIf cfg.enable {
# Create per-service API key groups
users.groups = mkMerge [
(mkIf cfg.sonarr.enable {sonarr-api = {};})
(mkIf cfg.radarr.enable {radarr-api = {};})
(mkIf cfg.lidarr.enable {lidarr-api = {};})
(mkIf cfg.readarr.enable {readarr-api = {};})
(mkIf cfg.prowlarr.enable {prowlarr-api = {};})
# (mkIf cfg.bazarr.enable {bazarr-api = {};})
];
# Add services that need API keys to their respective groups
users.users = mkMerge [
# Static users
(mkIf cfg.transmission.enable {
transmission.extraGroups = optional cfg.prowlarr.enable "prowlarr-api";
})
(mkIf cfg.transmission.privateTrackers.cross-seed.enable {
cross-seed.extraGroups = optional cfg.prowlarr.enable "prowlarr-api";
})
];
# Add api groups to services with DynamicUser
systemd.services = mkMerge [
(mkIf cfg.sonarr.enable {sonarr.serviceConfig.SupplementaryGroups = ["sonarr-api"];})
(mkIf cfg.radarr.enable {radarr.serviceConfig.SupplementaryGroups = ["radarr-api"];})
(mkIf cfg.lidarr.enable {lidarr.serviceConfig.SupplementaryGroups = ["lidarr-api"];})
(mkIf cfg.readarr.enable {readarr.serviceConfig.SupplementaryGroups = ["readarr-api"];})
(mkIf cfg.prowlarr.enable {prowlarr.serviceConfig.SupplementaryGroups = ["prowlarr-api"];})
# (mkIf cfg.bazarr.enable {bazarr.serviceConfig.SupplementaryGroups = ["bazarr-api"];})
(mkIf cfg.recyclarr.enable {
recyclarr.serviceConfig.SupplementaryGroups =
(optional cfg.sonarr.enable "sonarr-api")
++ (optional cfg.radarr.enable "radarr-api");
})
# Create API key extractors for enabled services
(mkIf cfg.sonarr.enable {"sonarr-api-key" = mkApiKeyExtractor "sonarr" cfg.sonarr;})
(mkIf cfg.radarr.enable {"radarr-api-key" = mkApiKeyExtractor "radarr" cfg.radarr;})
(mkIf cfg.lidarr.enable {"lidarr-api-key" = mkApiKeyExtractor "lidarr" cfg.lidarr;})
(mkIf cfg.readarr.enable {"readarr-api-key" = mkApiKeyExtractor "readarr" cfg.readarr;})
(mkIf cfg.prowlarr.enable {"prowlarr-api-key" = mkApiKeyExtractor "prowlarr" cfg.prowlarr;})
# (mkIf cfg.bazarr.enable {"bazarr-api-key" = mkApiKeyExtractor "bazarr" cfg.bazarr;})
];
# Create the api-keys directory
systemd.tmpfiles.rules = [
"d ${cfg.stateDir}/api-keys 0750 root root - -"
];
};
}

266
nixos/hosts/media/modules/monitoring.nix Normal file
View file

@ -0,0 +1,266 @@
{
config,
lib,
pkgs,
...
}:
with lib; let
cfg = config.nixarr;
# Helper to determine if an exporter should be enabled
shouldEnableExporter = service:
cfg.${service}.enable
&& (cfg.${service}.exporter.enable == null || cfg.${service}.exporter.enable);
in {
imports = [../lib/api-keys.nix];
options = {
nixarr = {
exporters = {
enable = mkEnableOption "Enable Prometheus exporters for all supported nixarr services";
};
sonarr.exporter = {
enable = mkOption {
type = types.nullOr types.bool;
default = null;
description = ''
Whether to enable the Sonarr Prometheus exporter.
- null: enable if exporters.enable is true and sonarr service is enabled (default)
- true: force enable if exporters.enable is true
- false: always disable
'';
};
port = mkOption {
type = types.port;
default = 9707;
description = "Port for Sonarr metrics";
};
listenAddr = mkOption {
type = types.str;
default = "0.0.0.0";
description = ''
Address for Sonarr exporter to listen on.
'';
};
};
radarr.exporter = {
enable = mkOption {
type = types.nullOr types.bool;
default = null;
description = ''
Whether to enable the Radarr Prometheus exporter.
- null: enable if exporters.enable is true and radarr service is enabled (default)
- true: force enable if exporters.enable is true
- false: always disable
'';
};
port = mkOption {
type = types.port;
default = 9708;
description = "Port for Radarr metrics";
};
listenAddr = mkOption {
type = types.str;
default = "0.0.0.0";
description = ''
Address for Radarr exporter to listen on.
'';
};
};
lidarr.exporter = {
enable = mkOption {
type = types.nullOr types.bool;
default = null;
description = ''
Whether to enable the Lidarr Prometheus exporter.
- null: enable if exporters.enable is true and lidarr service is enabled (default)
- true: force enable if exporters.enable is true
- false: always disable
'';
};
port = mkOption {
type = types.port;
default = 9709;
description = "Port for Lidarr metrics";
};
listenAddr = mkOption {
type = types.str;
default = "0.0.0.0";
description = ''
Address for Lidarr exporter to listen on.
'';
};
};
readarr.exporter = {
enable = mkOption {
type = types.nullOr types.bool;
default = null;
description = ''
Whether to enable the Readarr Prometheus exporter.
- null: enable if exporters.enable is true and readarr service is enabled (default)
- true: force enable if exporters.enable is true
- false: always disable
'';
};
port = mkOption {
type = types.port;
default = 9710;
description = "Port for Readarr metrics";
};
listenAddr = mkOption {
type = types.str;
default = "0.0.0.0";
description = ''
Address for Readarr exporter to listen on.
'';
};
};
prowlarr.exporter = {
enable = mkOption {
type = types.nullOr types.bool;
default = null;
description = ''
Whether to enable the Prowlarr Prometheus exporter.
- null: enable if exporters.enable is true and prowlarr service is enabled (default)
- true: force enable if exporters.enable is true
- false: always disable
'';
};
port = mkOption {
type = types.port;
default = 9711;
description = "Port for Prowlarr metrics";
};
listenAddr = mkOption {
type = types.str;
default = "0.0.0.0";
description = ''
Address for Prowlarr exporter to listen on.
'';
};
};
bazarr.exporter = {
enable = mkOption {
type = types.nullOr types.bool;
default = null;
description = ''
Whether to enable the Bazarr Prometheus exporter.
- null: enable if exporters.enable is true and bazarr service is enabled (default)
- true: force enable if exporters.enable is true
- false: always disable
'';
};
port = mkOption {
type = types.port;
default = 9712;
description = "Port for Bazarr metrics";
};
listenAddr = mkOption {
type = types.str;
default = "0.0.0.0";
description = ''
Address for Bazarr exporter to listen on.
'';
};
};
};
};
config = mkIf (cfg.enable && cfg.exporters.enable) {
# Configure Prometheus exporters
services.prometheus = {
exporters = {
# Enable exportarr for each supported service if it's enabled
exportarr-sonarr = mkIf (shouldEnableExporter "sonarr") {
enable = true;
url = "http://127.0.0.1:8989";
apiKeyFile = "${cfg.stateDir}/api-keys/sonarr.key";
port = cfg.sonarr.exporter.port;
listenAddress = cfg.sonarr.exporter.listenAddr;
openFirewall = true;
};
exportarr-radarr = mkIf (shouldEnableExporter "radarr") {
enable = true;
url = "http://127.0.0.1:7878";
apiKeyFile = "${cfg.stateDir}/api-keys/radarr.key";
port = cfg.radarr.exporter.port;
listenAddress = cfg.radarr.exporter.listenAddr;
openFirewall = true;
};
exportarr-lidarr = mkIf (shouldEnableExporter "lidarr") {
enable = true;
url = "http://127.0.0.1:8686";
apiKeyFile = "${cfg.stateDir}/api-keys/lidarr.key";
port = cfg.lidarr.exporter.port;
listenAddress = cfg.lidarr.exporter.listenAddr;
openFirewall = true;
};
exportarr-readarr = mkIf (shouldEnableExporter "readarr") {
enable = true;
url = "http://127.0.0.1:8787";
apiKeyFile = "${cfg.stateDir}/api-keys/readarr.key";
port = cfg.readarr.exporter.port;
listenAddress = cfg.readarr.exporter.listenAddr;
openFirewall = true;
};
exportarr-prowlarr = mkIf (shouldEnableExporter "prowlarr") {
enable = true;
url = "http://127.0.0.1:9696";
apiKeyFile = "${cfg.stateDir}/api-keys/prowlarr.key";
port = cfg.prowlarr.exporter.port;
listenAddress = cfg.prowlarr.exporter.listenAddr;
openFirewall = true;
};
# exportarr-bazarr = mkIf (shouldEnableExporter "bazarr") {
# enable = true;
# url = "http://127.0.0.1:6767";
# apiKeyFile = "${cfg.stateDir}/api-keys/bazarr.key";
# port = cfg.bazarr.exporter.port; # 9712;
# openFirewall = true;
# };
};
};
# Add systemd services for VPN-confined exporters
systemd.services = mkMerge [
{
"prometheus-exportarr-sonarr-exporter" = mkIf (shouldEnableExporter "sonarr") {
after = ["sonarr-api-key.service"];
requires = ["sonarr-api-key.service"];
serviceConfig.SupplementaryGroups = ["sonarr-api"];
};
"prometheus-exportarr-radarr-exporter" = mkIf (shouldEnableExporter "radarr") {
after = ["radarr-api-key.service"];
requires = ["radarr-api-key.service"];
serviceConfig.SupplementaryGroups = ["radarr-api"];
};
"prometheus-exportarr-lidarr-exporter" = mkIf (shouldEnableExporter "lidarr") {
after = ["lidarr-api-key.service"];
requires = ["lidarr-api-key.service"];
serviceConfig.SupplementaryGroups = ["lidarr-api"];
};
"prometheus-exportarr-readarr-exporter" = mkIf (shouldEnableExporter "readarr") {
after = ["readarr-api-key.service"];
requires = ["readarr-api-key.service"];
serviceConfig.SupplementaryGroups = ["readarr-api"];
};
"prometheus-exportarr-prowlarr-exporter" = mkIf (shouldEnableExporter "prowlarr") {
after = ["prowlarr-api-key.service"];
requires = ["prowlarr-api-key.service"];
serviceConfig.SupplementaryGroups = ["prowlarr-api"];
};
# "prometheus-exportarr-bazarr-exporter" = mkIf (shouldEnableExporter "bazarr") {
# after = ["bazarr-api-key.service"];
# requires = ["bazarr-api-key.service"];
# serviceConfig.SupplementaryGroups = ["bazarr-api"];
# };
}
];
};
}

6
nixos/hosts/media/nixarr.nix
View file

@ -1,4 +1,8 @@
{config, ...}: {
services.sonarr.settings = {
auth.method = "External";
};
nixarr = {
enable = true;
# These two values are also the default, but you can set them to whatever
@ -34,6 +38,8 @@
sonarr.enable = true;
jellyseerr.enable = true;
exporters.enable = true;
recyclarr = {
enable = true;
configFile = ./recyclarr.yml;

30
nixos/hosts/media/sops.nix
View file

@ -4,36 +4,6 @@
mode = "0440";
};
sops.secrets.sonarr-api-key = {
sopsFile = ../../secrets/nixarr/secrets.yml;
mode = "0440";
};
sops.secrets.radarr-api-key = {
sopsFile = ../../secrets/nixarr/secrets.yml;
mode = "0440";
};
sops.secrets.readarr-api-key = {
sopsFile = ../../secrets/nixarr/secrets.yml;
mode = "0440";
};
sops.secrets.bazarr-api-key = {
sopsFile = ../../secrets/nixarr/secrets.yml;
mode = "0440";
};
sops.secrets.lidarr-api-key = {
sopsFile = ../../secrets/nixarr/secrets.yml;
mode = "0440";
};
sops.secrets.prowlarr-api-key = {
sopsFile = ../../secrets/nixarr/secrets.yml;
mode = "0440";
};
sops.secrets.jellyfin-exporter-config = {
sopsFile = ../../secrets/nixarr/secrets.yml;
owner = "jellyfin";

40
nixos/hosts/media/storage.nix
View file

@ -6,18 +6,52 @@
fileSystems."/data/media/library/shows" = {
device = "192.168.1.226:/volume1/Media/TV Shows";
fsType = "nfs4";
options = ["x-systemd.automount" "noatime" "_netdev"];
options = [
"x-systemd.automount" # Automount on first access
"noatime" # Don't update access times (performance)
"_netdev" # This is a network device; wait for network
"defaults" # Standard default options
"rw" # Read/write access
"hard" # Hard mount (retry indefinitely on error)
];
};
fileSystems."/data/media/library/movies" = {
device = "192.168.1.226:/volume1/Media/Movies";
fsType = "nfs4";
options = ["x-systemd.automount" "noatime" "_netdev"];
options = [
"x-systemd.automount" # Automount on first access
"noatime" # Don't update access times (performance)
"_netdev" # This is a network device; wait for network
"defaults" # Standard default options
"rw" # Read/write access
"hard" # Hard mount (retry indefinitely on error)
];
};
fileSystems."/data/media/torrents" = {
device = "192.168.1.226:/volume1/data/torrents";
fsType = "nfs4";
options = ["x-systemd.automount" "noatime" "_netdev"];
options = [
"x-systemd.automount" # Automount on first access
"noatime" # Don't update access times (performance)
"_netdev" # This is a network device; wait for network
"defaults" # Standard default options
"rw" # Read/write access
"hard" # Hard mount (retry indefinitely on error)
];
};
systemd.services = {
# jellyfin = {
# requires = ["data-media-library-movies.mount" "data-media-library-shows.mount"];
# after = ["data-media-library-movies.mount" "data-media-library-shows.mount"];
# onFailure = ["data-media-library-movies.mount" "data-media-library-shows.mount"];
# };
# transmission = {
# requires = ["data-media-torrents.mount"];
# after = ["data-media-torrents.mount"];
# onFailure = ["data-media-torrents.mount"];
# };
};
}

7
nixos/hosts/traefik/configuration/auth/routers.nix
View file

@ -6,6 +6,13 @@
tls.certResolver = "letsencrypt";
};
authelia = {
rule = "Host(`authelia.procopius.dk`)";
service = "authelia";
entryPoints = ["websecure"];
tls.certResolver = "letsencrypt";
};
oauth2proxy = {
rule = "Host(`radarr.procopius.dk`) && PathPrefix(`/oauth2/`)";
service = "oauth2proxy";

3
nixos/hosts/traefik/configuration/auth/services.nix
View file

@ -1,5 +1,6 @@
{
authentik.loadBalancer.servers = [{url = "http://authentik.lab:9000";}];
keycloak.loadBalancer.servers = [{url = "http://keycloak.lab:8080";}];
oauth2proxy.loadBalancer.servers = [{url = "http://localhost:4180";}];
authelia.loadBalancer.servers = [{url = "http://auth.lab:9091";}];
}

7
nixos/hosts/traefik/configuration/monitoring/routers.nix
View file

@ -19,6 +19,13 @@
middlewares = ["oauth-auth"];
tls.certResolver = "letsencrypt";
};
gatus = {
rule = "Host(`gatus.procopius.dk`)";
service = "gatus";
entryPoints = ["websecure"];
middlewares = ["oauth-auth"];
tls.certResolver = "letsencrypt";
};
umami = {
rule = "Host(`umami.procopius.dk`)";
service = "umami";

1
nixos/hosts/traefik/configuration/monitoring/services.nix
View file

@ -2,5 +2,6 @@
prometheus.loadBalancer.servers = [{url = "http://monitor.lab:9090";}];
grafana.loadBalancer.servers = [{url = "http://monitor.lab:3000";}];
alertmanager.loadBalancer.servers = [{url = "http://monitor.lab:9093";}];
gatus.loadBalancer.servers = [{url = "http://monitor.lab:8080";}];
umami.loadBalancer.servers = [{url = "http://192.168.1.226:3333";}];
}